diff --git a/submariner-operator/templates/rbac.yaml b/submariner-operator/templates/rbac.yaml
index 03e0348..ae1a370 100644
--- a/submariner-operator/templates/rbac.yaml
+++ b/submariner-operator/templates/rbac.yaml
@@ -9,62 +9,78 @@ metadata: chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} rules: -- apiGroups: - - "" - resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - verbs: - - '*' -- apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create -- apiGroups: - - apps - resourceNames: - - {{ template "submariner.fullname" . }} - resources: - - deployments/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get -- apiGroups: - - submariner.io - resources: - - '*' - - servicediscoveries - verbs: - - '*' + - apiGroups: + - "" + resources: + # For metrics + - services + verbs: + - get + - create + - update + - apiGroups: + - "" + resources: + # For syncing Secrets from the broker + - secrets + verbs: + - get + - create + - update + - delete + - apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - monitoring.coreos.com + resources: + # Needed for openshift monitoring + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - {{ template "submariner.fullname" . }} + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - submariner.io + resources: + - brokers + - brokers/status + - submariners + - submariners/status + - servicediscoveries + - servicediscoveries/status + verbs: + - get + - list + - watch + - create + - update + - delete + - apiGroups: + - submariner.io + resources: + - gateways + verbs: + - get + - list + - watch --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 
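Review bot: Replacing the wildcard verbs with explicit lists drops `patch` on every submariner.io resource in this Role (brokers, submariners, servicediscoveries and their `/status` subresources) and on secrets, while `patch` is kept only for deployments/daemonsets; if the operator issues Patch requests for any of these (status and finalizer writes are often patched rather than updated), they will now be forbidden, so the verb lists should be checked against the client calls before merging. The same omission applies to the clusters/endpoints/gateways rule in the next hunk (-93,86) and to the serviceexports/status rule added at -832. The secrets rule also grants create/update/delete on every Secret in the namespace; if the synced Secret names are known at render time, `get`/`update`/`delete` could be pinned with `resourceNames:` (only `create` cannot be scoped by name), otherwise a short comment saying why the names are dynamic would help auditors.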
@@ -93,86 +109,47 @@ metadata: chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} rules: -- apiGroups: - - "" - resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - verbs: - - '*' -- apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create -- apiGroups: - - apps - resourceNames: - - submariner-operator - resources: - - deployments/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get -- apiGroups: - - submariner.io - resources: - - '*' - - servicediscoveries - verbs: - - '*' -- apiGroups: - - lighthouse.submariner.io - resources: - - '*' - - serviceexports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - delete + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - update + - patch + - apiGroups: + - submariner.io + resources: + - clusters + - endpoints + - gateways + verbs: + - get + - list + - watch + - create + - update + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - delete + - apiGroups: + - "" + resources: + # For leader election + - configmaps + verbs: + - get + - create + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
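Review bot: The `# For leader election` configmaps rule grants `get`/`update` on every ConfigMap in the namespace although a leader-election lock has a fixed name; those two verbs can be pinned with `resourceNames:` followed by `- <LOCK_CONFIGMAP_NAME>` (placeholder — take the name from the code), leaving only `create` unscoped. The same hunk grants full verbs on `coordination.k8s.io` leases, so if leader election has moved to Lease objects the ConfigMap rule may be a leftover; worth confirming which lock the code actually uses. The `update`/`patch` verbs on `pods` are likewise unexplained — a `# Needed for …` comment like the other rules in this change carry would complete the audit trail.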
@@ -202,74 +179,13 @@ metadata: chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} rules: - - apiGroups: - - "" - resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - verbs: - - '*' - - apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - '*' - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create - - apiGroups: - - apps - resourceNames: - - submariner-operator - resources: - - deployments/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get - apiGroups: - submariner.io resources: - - '*' - - servicediscoveries - verbs: - - '*' - - apiGroups: - - lighthouse.submariner.io - resources: - - '*' - - serviceexports + - endpoints verbs: - - create - - delete - get - list - - patch - - update - watch --- apiVersion: rbac.authorization.k8s.io/v1 
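Review bot: The single remaining rule (submariner.io `endpoints` with get/list/watch) carries no comment saying which component this Role serves, whereas the other rewritten rules in this commit annotate their purpose with `# Needed for …` / `# For …`; adding one such as `# Needed for <CONSUMER> to read Endpoints` (placeholder — name the binding's subject) would keep the file consistent and auditable. The Role's header and its RoleBinding are outside this hunk, so the consumer cannot be confirmed from here.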
@@ -300,76 +216,6 @@ metadata: release: {{ .Release.Name | quote }} chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} -rules: - - apiGroups: - - "" - resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - verbs: - - '*' - - apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - '*' - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create - - apiGroups: - - apps - resourceNames: - - submariner-operator - resources: - - deployments/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - apiGroups: - - submariner.io - resources: - - '*' - - servicediscoveries - verbs: - - '*' - - apiGroups: - - lighthouse.submariner.io - resources: - - '*' - - serviceexports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding
@@ -400,9 +246,6 @@ metadata: chart: {{ template "submariner.chart" . }} app: {{ template "submariner.name" . }} rules: - # submariner-operator updates the config map of core-dns to forward requests to - # clusterset.local to Lighthouse DNS, also looks at existing configmaps - # to figure out network settings - apiGroups: - "" resources:
@@ -424,9 +267,10 @@ rules: - update - delete - watch - - apiGroups: # pods, services and nodes are looked up to figure out network settings + - apiGroups: - "" resources: + # Needed for network settings discovery - pods - services - nodes
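Review bot: The `update`/`delete`/`watch` verbs at the top of this hunk appear to belong to the cluster-wide `configmaps` rule whose justification comment (CoreDNS forwarding for clusterset.local) is removed in the preceding hunk at -400; with that comment gone and `delete` still granted on every ConfigMap in the cluster, a reader can no longer tell why the operator needs write access there. Restoring a line under that rule's `resources:` such as `# Needed to update the CoreDNS forwarding config and to read network settings` would match the `# Needed for network settings discovery` style this hunk introduces. If the CoreDNS ConfigMap has a stable name, pinning `get`/`update`/`delete` with `resourceNames:` would narrow the grant further. The configmaps rule itself starts before this hunk.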
@@ -440,31 +284,31 @@ rules: - dnses verbs: - get - - list - - watch - update - apiGroups: - config.openshift.io resources: + # Needed for network settings discovery - networks + resourceNames: + - cluster verbs: - get - - list - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - apiGroups: - monitoring.coreos.com resources: + # Needed for openshift monitoring - servicemonitors verbs: - get - create + - apiGroups: + - apps + resources: + # Needed for Flannel CNI discovery + - daemonsets + verbs: + - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding
@@ -523,21 +367,7 @@ rules: - configmaps verbs: - get - - list - - watch - - create - - update - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - create - - update - - delete - - apiGroups: # pods and services are looked up to figure out network settings - "" resources: - pods
@@ -547,32 +377,6 @@ rules: - get - list - watch - - apiGroups: - - operator.openshift.io - resources: - - dnses - verbs: - - get - - list - - watch - - update - - apiGroups: - - config.openshift.io - resources: - - networks - verbs: - - get - - list - - apiGroups: - - submariner.io - resources: - - endpoints - - gateways - - clusters - verbs: - - get - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding
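Review bot: The `dnses` rule keeps `update` on `operator.openshift.io` without a `resourceNames:` restriction, while the `networks` rule in the same hunk is pinned to `cluster`; if the operator only edits the singleton DNS operator config (named `default` on OpenShift), adding `resourceNames:` / `- default` under the dnses rule would give it the same least-privilege treatment. Dropping `list`/`watch` from both rules should be checked against the code path: an informer or List call on these objects will now be forbidden even though `get` is allowed. The new `daemonsets` `list` grant is cluster-wide, which is unavoidable in a ClusterRole, but a comment naming the namespace the Flannel DaemonSet is expected in would tell auditors what the grant is for. The dnses rule starts before this hunk.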
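Review bot: In the -523 hunk the inline `# pods and services are looked up to figure out network settings` comment is removed from the `- apiGroups:` line but, unlike the equivalent rule at -424, no replacement `# Needed for network settings discovery` line is added under `resources:`, so this ClusterRole loses its only explanation for reading pods and services cluster-wide; adding the same comment here keeps the two rules consistent. The `configmaps` rule above it is reduced to `get` alone; if the component bound to this role watches ConfigMaps through an informer, `list`/`watch` would still be required, which is worth confirming against the code. The pods/services rule's verbs continue into the next hunk.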
@@ -604,57 +408,30 @@ metadata: rules: - apiGroups: - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - update - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - create - - update - - delete - - apiGroups: # pods and services are looked up to figure out network settings - - "" resources: - pods - services + - configmaps verbs: - get - list - - watch - - apiGroups: - - operator.openshift.io - resources: - - dnses - verbs: - - get - - list - - watch - - update - apiGroups: - config.openshift.io resources: - networks + resourceNames: + - cluster verbs: - get - - list - apiGroups: - "" + resources: + - nodes verbs: - get - list - watch - update - resources: - - nodes --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding
@@ -688,8 +465,6 @@ rules: - apiGroups: - "" resources: - - pods - - namespaces - nodes - endpoints verbs:
@@ -697,6 +472,14 @@ rules: - list - watch - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch - apiGroups: - "" resources:
@@ -711,8 +494,8 @@ rules: - apiGroups: - submariner.io resources: - - endpoints - clusters + - endpoints verbs: - get - list
@@ -743,7 +526,7 @@ rules: - apiGroups: - multicluster.x-k8s.io resources: - - "serviceexports" + - serviceexports verbs: - get - list
@@ -798,7 +581,6 @@ rules: - get - list - watch - - update - apiGroups: - discovery.k8s.io resources:
@@ -815,8 +597,8 @@ rules: - apiGroups: - submariner.io resources: - - "gateways" - - "globalingressips" + - gateways + - globalingressips verbs: - get - list
@@ -824,7 +606,8 @@ rules: - apiGroups: - multicluster.x-k8s.io resources: - - "*" + - serviceimports + - serviceimports/status verbs: - create - get
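Review bot: The last rule of the -604 hunk keeps `update` on `nodes` cluster-wide with no comment; a subject that can write Node objects can change labels and taints on every node, so a one-line justification under `resources:` such as `# Needed to label gateway nodes` (if that is the reason) plus a check of whether the code calls Update or Patch — only `update` is granted — would let a reviewer judge the grant. Merging `configmaps` into the pods/services rule makes the ConfigMap access read-only (`get`/`list`), which is an improvement over the previous `update`, but the rule now reads ConfigMaps in every namespace without saying why; the `# Needed for …` style used elsewhere in this change fits here too. Moving `resources:` above `verbs:` in the nodes rule matches the rest of the file.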
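Review bot: In the -824 hunk, `serviceimports/status` is listed in a rule whose verbs include `create` and `delete`, which have no meaning for a status subresource; the hunk at -832 separates `serviceexports` (read) from `serviceexports/status` (`update`), and the same split here — `serviceimports` with the full verb list and a separate rule holding `- serviceimports/status` with `- update` — would state the intended privileges precisely instead of an over-broad-looking grant. The verb list of this rule continues into the next hunk.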
@@ -832,6 +615,20 @@ rules: - watch - update - delete + - apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - list + - watch + - apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports/status + verbs: + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding
@@ -860,30 +657,23 @@ rules: - "" resources: - services - - namespaces - - endpoints verbs: - get - list - watch - - update - apiGroups: - discovery.k8s.io resources: - endpointslices verbs: - - create - get - list - watch - - update - - delete - - deletecollection - apiGroups: - submariner.io resources: - - "gateways" - - "submariners" + - gateways + - submariners verbs: - get - list
@@ -891,14 +681,11 @@ rules: - apiGroups: - multicluster.x-k8s.io resources: - - "*" + - serviceimports verbs: - - create - get - list - watch - - update - - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding